.NET Framework Class Library
HttpRequestValidationException Class

The exception that is thrown when a potentially malicious input string is received from the client as part of the request data. This class cannot be inherited.

Namespace: System.Web
Assembly: System.Web (in system.web.dll)

Syntax

Visual Basic (Declaration)
<SerializableAttribute> _
Public NotInheritable Class HttpRequestValidationException
    Inherits HttpException
Visual Basic (Usage)
Dim instance As HttpRequestValidationException
C#
[SerializableAttribute] 
public sealed class HttpRequestValidationException : HttpException
C++
[SerializableAttribute] 
public ref class HttpRequestValidationException sealed : public HttpException
J#
/** @attribute SerializableAttribute() */ 
public final class HttpRequestValidationException extends HttpException
JScript
SerializableAttribute 
public final class HttpRequestValidationException extends HttpException
Remarks

Constraining and validating user input is essential in a Web application to prevent attacks that rely on malicious input strings. Cross-site scripting attacks are one example of such attacks. Other types of malicious or undesired data can be passed in a request through various forms of input. By limiting the kinds of data that are passed at a low level in an application, you can prevent undesirable events, even when programmers who are using your code do not put the proper validation techniques in place.

Request validation detects potentially malicious client input and throws this exception to abort processing of the request. A request abort can indicate an attempt to compromise the security of your application, such as a cross-site scripting attack. It is strongly recommended that your application explicitly check all input regarding request aborts. However, you can disable request validation by setting the validateRequest attribute in the @ Page directive to false, as shown in the following example:

<%@ Page validateRequest="false" %>

To disable request validation for your application, you must modify or create a Web.config file for your application and set the validateRequest attribute of the pages section to false, as shown in the following example:

<configuration> 
  <system.web> 
    <pages validateRequest="false" /> 
  </system.web> 
</configuration> 

To disable request validation for all applications on your server, you can make this modification to the Machine.config file.

Note

It is strongly recommended that your application explicitly check all inputs it uses in addition to the request validation performed by ASP.NET. The request validation feature cannot catch all attacks, especially those crafted specifically against your application logic.
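
The request abort described above can be handled centrally so that each one is logged and answered with a generic error. The following Global.asax code-behind is an added example, not part of the original page; the class name Global, the helper names and the log format are assumptions.

```csharp
using System;
using System.Diagnostics;
using System.Web;

// Added example: code-behind for Global.asax. The class name "Global" and the
// log format are assumptions, not part of the original page.
public class Global : HttpApplication
{
    protected void Application_Error(object sender, EventArgs e)
    {
        HttpRequestValidationException rv = FindValidationFailure(Server.GetLastError());
        if (rv == null)
        {
            return; // Not a request validation abort; leave it to normal error handling.
        }

        // The message can quote part of the rejected value, so it is client-controlled:
        // flatten line breaks before logging so one abort stays one log entry.
        Trace.TraceWarning("Request validation abort: client={0} url={1} detail={2}",
            Request.UserHostAddress, OneLine(Request.RawUrl), OneLine(rv.Message));

        // Answer with a generic 400 and never echo the rejected input back.
        Server.ClearError();
        Response.Clear();
        Response.StatusCode = 400;
        Response.ContentType = "text/plain";
        Response.Write("The request contained input that is not allowed.");
    }

    // The exception may arrive wrapped, so walk the InnerException chain.
    private static HttpRequestValidationException FindValidationFailure(Exception ex)
    {
        for (Exception cur = ex; cur != null; cur = cur.InnerException)
        {
            HttpRequestValidationException rv = cur as HttpRequestValidationException;
            if (rv != null)
            {
                return rv;
            }
        }
        return null;
    }

    private static string OneLine(string value)
    {
        return (value ?? string.Empty).Replace("\r", " ").Replace("\n", " ");
    }
}
```

A run of these warnings from one client address in a short period is worth reviewing as possible probing of the application.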

Example

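The following code example demonstrates how to check for malicious user input by using an HttpRequestValidationException. The page copies the text box value to a label without any check of its own; with request validation enabled, submitting a value that contains markup causes ASP.NET to throw the exception and abort the request.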

Visual Basic
<%@ Page Language="VB" %>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<script runat="server">
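    Sub Button1_Click(ByVal sender As Object, ByVal e As System.EventArgs)
        ' Echoes the submitted text without HTML encoding. With request validation
        ' enabled, input that contains markup is rejected before this handler runs.
        Label1.Text = txt1.Text
    End Sub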
</script>

<html>
<head runat="server">
    <title>Untitled Page</title>
</head>
<body>
    <form id="form1" runat="server">
    <div>
        <asp:TextBox ID="txt1" runat="server" />
        <asp:Button ID="Button1" Runat="server" Text="Button" OnClick="Button1_Click" />
        <br /><br />You entered: <asp:Label ID="Label1" Runat="server" Text="Label" />.
    </div>
    </form>
</body>
</html>
C#
<%@ Page Language="C#" %>

<script runat="server">
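    void Button1_Click(object sender, EventArgs e)
    {
        // Echoes the submitted text without HTML encoding. With request validation
        // enabled, input that contains markup is rejected before this handler runs.
        Label1.Text = txt1.Text;
    }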
</script>

<html>
<head id="Head1" runat="server">
    <title>Untitled Page</title>
</head>
<body>
    <form id="form1" runat="server">
    <div>
        <asp:TextBox ID="txt1" runat="server" />
        <asp:Button ID="Button1" Runat="server" Text="Button" OnClick="Button1_Click" />
        <br /><br />You entered: <asp:Label ID="Label1" Runat="server" Text="Label" />.
    </div>
    </form>
</body>
</html>
.NET Framework Security

Inheritance Hierarchy

System.Object
   System.Exception
     System.SystemException
       System.Runtime.InteropServices.ExternalException
         System.Web.HttpException
          System.Web.HttpRequestValidationException
Thread Safety

Any public static (Shared in Visual Basic) members of this type are thread safe. Any instance members are not guaranteed to be thread safe.
Platforms

Windows 98, Windows 2000 SP4, Windows Server 2003, Windows XP Media Center Edition, Windows XP Professional x64 Edition, Windows XP SP2, Windows XP Starter Edition

The .NET Framework does not support all versions of every platform. For a list of the supported versions, see System Requirements.

Version Information

.NET Framework

Supported in: 2.0, 1.1